AntiVirus-Gold [RESOLVED]

SpyWareSucks

Posted 18 June 2005 - 11:59 AM

Member

16 posts

I have got this black screen on my desktop saying "WARNING YOUR IN DANGER!" And then it goes on to tell me to secure myself right now by clicking on the link to the Antivirus-Gold webpage. (pretty lame for an antivirus software company to create spyware and a virus to try to get business, kind of reminds me of the windshield repair man breaking windshields in the middle of the night so he can get some business.) But anyway, when this thing took over my computer I did the normal scans with Adaware, Spybot, Norton AntiVirus 2005 and I thought I had removed everything. I rebooted my computer and I got the dreaded blue screen with text on it saying

" a fatal error has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by TROJAN-SPY.HTML.SMITHFRAUD.C. *system cannot function in normal mode. Please check your security settings.* Scan your PC with any available antivirus/spyware remover program to fix the problem."

So I did all the scans again. I tried to update the definitions for the spyware programs and Norton. Every time I tried to download the latest definitions for Norton AntiVirus I was disconnected from the internet. (dial-up <--- depressing, but all I can get) But Norton did locate 4 viruses: W32.Dedler.Worm, Backdoor.Trojan, Trojan.Webus, and Trojan.ByteVerify. Norton did delete them automatically, but they reappeared while I was scanning with Trend Housecall. I also got a "Network Fatal error at 00FF:2348AD" warning telling me my network wasn't secure, and I got an "IEXPLORE.EXE" application error saying the instruction at 0x73ddlc9d referenced memory at 0x0000038 could not be read.

Michelle

Posted 15 July 2005 - 08:44 PM

Malware Removal Goddess

Retired Staff

8,928 posts

I will analyze your log thoroughly and be back here in just a bit (tonight!) and I do see a bunch of legit programs on startup that don't need to be there. We can remove those from startup to optimize your system as well.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <- System tray icon for quicktimes. Can be run by going to Start > All Programs.

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe <- Updater for Sun Java, but obviously it isn't working because your Java is pretty outdated! Can be updated by going to Start > Control Panel.

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe <- System tray icon for Yahoo browser. Can be run from desktop icon or Start > All Programs.

O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" <- IP Insight is a Quality of Service monitor and diagnostic tool that isn't required.

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe <- MS Works Update Detection. MS Picture It! (versions 7 to current) uses this automatic update feature during the log on process. It can also cause your system to automatically dial into your ISP as it tries to access the internet. Can be updated by going to Microsoft's Office/Works update site.

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe <- Checks for updates for MS Works. Not needed on startup.
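As an added example (not part of the original post), the O4 startup lines above can be parsed into hive, value name, program path and arguments so they are easier to review one by one. The rule that an unquoted command ends at the first executable-style extension is an assumption made for this sketch.

```python
import re

# Startup entries copied from the HijackThis excerpt in the post above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
'''

# Shape of a line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Assumption: an unquoted command ends at the first executable-style extension.
UNQUOTED = re.compile(
    r'^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$', re.I)


def split_command(cmd):
    """Separate the program path from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted path: everything up to the closing quote is the program.
        exe, _, rest = cmd[1:].partition('"')
        return exe, rest.strip()
    m = UNQUOTED.match(cmd)
    if m:
        return m.group('exe'), (m.group('args') or '')
    return cmd, ''  # unknown shape: keep the whole string for manual review


def parse_o4(text):
    """Return one dict per O4 (autostart) line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group('cmd'))
        entries.append({'hive': m.group('hive'), 'key': m.group('key'),
                        'name': m.group('name'), 'exe': exe, 'args': args})
    return entries


if __name__ == '__main__':
    for e in parse_o4(SAMPLE_LOG):
        # HKLM entries start for every user, HKCU only for the logged-on user.
        scope = 'all users' if e['hive'] == 'HKLM' else 'current user'
        print(f"{scope:12} {e['name']:35} {e['exe']} {e['args']}")
```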

Michelle

Posted 16 July 2005 - 01:08 PM

Malware Removal Goddess

Retired Staff

8,928 posts

Copy everything in the code box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixme.reg on your desktop.

SpyWareSucks

Posted 16 July 2005 - 08:51 PM

Member

Topic Starter

16 posts

Ok, I have deleted the items you said to, but when I was looking for the ActiveX.inf in the C:\WINDOWS\Downloaded Program Files folder I did not see it. The only two files that have "Active..." in them are a file named "ActiveDataInfo Class" and one named "ActiveScan Installer Class." I did a new Panda scan and it still shows the file ActiveX.inf there in the folder twice on the scan, but they are not visible and I have the Show Hidden files and folders option selected in folder options checked. Is the ActiveX.inf file that Panda shows in the scan log referring to the two files ActiveDataInfo Class and ActiveScan Installer Class? Here is a log of the new Panda scan along with a new HijackThis scan.

Michelle

Posted 16 July 2005 - 09:07 PM

Malware Removal Goddess

Retired Staff

8,928 posts

Don't worry, we'll use Killbox on them, and if they are actually there they will be deleted by Killbox.

Copy everything in the code box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixme1.reg on your desktop.

SpyWareSucks

Posted 17 July 2005 - 07:09 AM

Member

Topic Starter

16 posts

Here is a new Panda Active Scan log

Incident Status Location

Adware:Adware/WUpd No disinfected C:\!Submit\ActiveX.inf

Killbox removed the other ActiveX.inf files, but now the same file showed up in this new location. Does this thing keep moving around to hide itself? I located the folder and file and both are visible unlike last time.

How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.

MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.